Impact
The vulnerability permits an authenticated user to modify the company ID parameter in a POST request, bypassing the application’s validation of the tenant context. This enables the attacker to access, view and potentially alter sensitive customer data from other companies within the same subdomain environment. The flaw is identified as CWE‑639, reflecting a failure to properly verify authorisation.
Affected Systems
The affected product is Adiss Biloop. No specific version information is provided in the report; any deployed instance of the application is potentially vulnerable until patched.
Risk and Exploitability
With a CVSS score of 9.3 the risk is severe. The EPSS score is < 1%, indicating a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user; from that state the attacker can manipulate a single parameter in the backend API, bypassing cross‑tenant checks. The exploit is straightforward against the web application and does not require privileged external access.
OpenCVE Enrichment